GATEKEEPER BLOG

When CMS Software Such as Drupal is a Threat

Sometimes, insider threats are less about people maliciously attacking your network and more about the software you install. Any type of software can have vulnerabilities, including software that would otherwise seem innocuous. Even CMS (content management system) software can pose a threat. This is exactly what happened with the latest Drupal threat: a vulnerability introduced by the Drupal CMS and patched by developers, but lately taken advantage of by cybercriminals.

Named “Drupalgeddon2” by attackers, the latest cybercriminal attack focuses on the common CMS software Drupal. The software isn’t the most common CMS on the market, but it still holds a big chunk of interest from developers and content managers who prefer Drupal over other common CMS systems such as WordPress or Joomla. Because Drupal didn’t have the major market share, it wasn’t a common target for a lot of attackers. Being less popular has its advantages in the cybercriminal world: fewer scripts and strategies are made against your software. However, it also means that cybersecurity experts spend less time on your code and more time on more popular code bases. It also means that fewer bugs will be found, and it can mean that cybercriminals find exploits and vulnerabilities before you do.

This is the case with the Drupal vulnerability, which is marked as severe and is unfortunately widespread among many Drupal sites. The vulnerability allows an attacker to change or delete data stored on a Drupal site, which could be severe for any enterprise that depends on Drupal for all of its content management.

The exploit makes it easy for any outsider to inject code into a site and take over the server simply by typing a URL into a browser. The injected code gives the attacker the ability to run code for whatever service they prefer, and the result is that the attacker can gain access to any data or service that they please. This could be a devastating blow to any enterprise that relies on Drupal as its content management system and stores sensitive data from its users. This data could be harmless, but it could also be PII (personally identifiable information) if it’s obtained from any part of the Drupal site.

The vulnerability is being targeted by three main cybercriminal groups, according to Ars Technica. The three groups are able to probe for vulnerabilities and other issues on a Drupal-served web server and hack the site if it isn’t patched. Drupal released a patch in March 2018, but many site owners are unaware of the new patch and have failed to update their software with the critical patch.

If the attackers find that the Drupal site is vulnerable to exploits, they then target all the other possibilities, including vulnerabilities in other sites such as WordPress, WebDAV, WebLogic, Webuzo, and any other site on their list. The vector is a site that has not been patched since the vulnerability was found back in 2011. Since many site owners fail to patch their sites, this makes the attackers even more dangerous.

If the attackers are able to find vulnerabilities on these sites, then the corporation could find that several of its critical content management systems are points of exposure for a security flaw that gives an attacker the ability to steal data and take over a web server silently, without the site owner ever being notified that an attacker is lodged in the backend system.

These errors come from negligence from insiders who fail to update software. To learn more about protecting your site from insider threats, check out GateKeeper.